On June 16, 2020, the German government released its Corona-Warn-App. There are some key points employers should be aware of concerning the app:
An employer may be thinking about instructing its employees to install and use the Corona-Warn-App on their own devices to reduce the infection risk among its employees. That is not permitted. The legal basis used by the Corona-Warn-App for processing personal data is the user’s consent (Art. 6 (1) (a), Art. 9 (2) (a) GDPR). Consent is only valid if it is granted voluntarily. An instruction from the employer to install the app is incompatible with voluntariness because it does not permit a free decision. For that reason, an employer should not issue a mandatory instruction to use the app. The same applies where the employer makes certain activities contingent on the use of the app, for example access to buildings, physical participation in meetings and training courses, participation in company sporting activities, etc. Consent is not deemed to be voluntary if employees suffer disadvantages from not using the app. Although a lack of consent is mainly a problem for the controller of the app, i.e. the Robert Koch Institute in this case, it should be noted at the same time that by issuing an instruction, an employer would knowingly force the employee into a situation where the employee’s data may be processed unlawfully. That should be avoided.
The employer also cannot require use of the Corona-Warn-App on the company cell phones that it provides. This situation is subject to the same principles explained above for use on private smartphones. However, the employer is by all means entitled to recommend that its employees use the app as a supplement to the protective measures implemented by the company (working from home, distancing rules, disinfection). It must be clear that this is a non-binding recommendation and not an instruction. If a works council has been constituted, its co-determination rights must be observed.
However, the employer should neither pre-install the app on company cell phones nor install it during day-to-day operation. The employer should permit employees to install the app themselves without requiring any support from the IT department. This ensures that employees are provided with comprehensive information about the data processing before or during installation of the app and are asked for their consent. This would not be guaranteed if the app were to be (pre-)installed by the employer.
Installation of the app by the employee does not cause the employer to become the controller, as defined in Art. 4 (7) GDPR, of the data processing performed by the app. The decision on whether to install and use the app lies with the employee. The employer has no further influence over data processing performed via the app.
The employer is not permitted to access the data of the Corona-Warn-App, even if it is installed on a company cell phone, because there is no legal basis for doing so. Before returning the company smartphone to the employer, the employee should be instructed to delete the app including all data from the device.
The Corona-Warn-App may notify the user that there has been a risk of infection and of the mathematical level of this risk. This is merely an indicator of a potential infection. A conclusive risk analysis requires additional factors, so a final assessment can only be made in consultation with the family physician or a health authority. The employee is therefore not obligated to report every app notification to the employer and the employer may also not demand reports of this type.
If it appears that there is a relevant risk of infection following medical consultation and there is an internal reporting obligation in such cases, a report must be made to the employer. If the company has rules on how to deal with infection risks, it may also make sense to augment these rules to include app notifications. This creates certainty on how employees who use the Corona-Warn-App need to act.
The employer may not prescribe use of the Corona-Warn-App on either private or company smartphones because this risks jeopardizing the voluntary nature of the consent. However, an employer may recommend its use to its employees and permit use on company smartphones, taking into account any co-determination rights of a works council, if constituted. The employer must not access the data. The employee is generally not obligated to report individual app notifications.